You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/08/17 08:03:37 UTC
[Bug 61436] New: Permissive TLS connection allowed when connecting
from localhost
https://bz.apache.org/bugzilla/show_bug.cgi?id=61436
Bug ID: 61436
Summary: Permissive TLS connection allowed when connecting from
localhost
Product: Apache httpd-2
Version: 2.4.27
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: rubimazaki@gmail.com
Target Milestone: ---
When configuring our Apache server to support only TLSv1.2 (multiply checked by
external connections to confirm that only that suite is supported) - we
succeeded connecting the server with lesser TLSv1 from local host. Our client
is based on Python 2.7.6 (no support for TLSv1.2) and will not connect from a
remote IP, but DOES succeed from localhost.
Seems like a security hole to us because it allows any third party app to
connect via port 443 with the server without it required to authenticate.
Configuration files:
/etc/apache2/httpd.conf
=======================
WSGIPythonOptimize 0
WSGIScriptAlias / /opt/asdf/cpmserver/wsgi.py
WSGIPythonPath /opt/asdf/cpmserver/
Options -Indexes
Alias /static/ /opt/asdf/cpmserver/static/
<Directory /opt/asdf/cpmserver/>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
<VirtualHost _default_:443>
ServerName https://example
SSLProtocol -all +TLSv1.2
SSLEngine on
SSLCertificateFile /opt/asdf/cert/cpm_server.crt
SSLCertificateKeyFile /opt/asdf/cert/cpm_server.key
WSGIPassAuthorization On
WSGIDaemonProcess debug threads=1
WSGIProcessGroup debug
</VirtualHost>
/etc/apache2/mods-available/ssl.conf
====================================
<IfModule mod_ssl.c>
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# (Disabled by default, the global Mutex directive consolidates by
default
# this)
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all
available
# options.
# Enable only secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol -all +TLSv1.2
# Allow insecure renegotiation with clients which do not yet support
the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual
hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
</IfModule>
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 61436] Permissive TLS connection allowed when connecting from
localhost
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61436
Stefan Eissing <st...@eissing.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
OS| |All
--- Comment #1 from Stefan Eissing <st...@eissing.org> ---
When you run
> openssl s_client -tls1_1 -connect localhost:443
what is the result? Is there a difference if you change the protocol config to
SSLProtocol +TLSv1.2
? Thanks!
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 61436] Permissive TLS connection allowed when connecting from
localhost
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61436
juniorolalde55@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 61436] Permissive TLS connection allowed when connecting from
localhost
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61436
--- Comment #5 from rubimazaki@gmail.com ---
Okay,
Please allow us to check this before closing the bug report.
Thanks.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 61436] Permissive TLS connection allowed when connecting from
localhost
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61436
--- Comment #3 from rubimazaki@gmail.com ---
When setting:
SSLProtocol +TLSv1.2
I get the same results:
> openssl s_client -tls1_1 -connect localhost:443
CONNECTED(00000003)
139898031838880:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert
protocol version:s3_pkt.c:1262:SSL alert number 70
139898031838880:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1502959693
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 61436] Permissive TLS connection allowed when connecting from
localhost
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61436
--- Comment #4 from Stefan Eissing <st...@eissing.org> ---
Thanks, SSLProtocol is supposed to be the same, just wanted to make sure.
Thanks for the output, it shows that the handshake failed, as it should. I
assume that if you use -tls1_2 it will succeed and leave the connection open
until you ^C.
Seems to me that the simplest explanation is that your python is linked against
a modern openssl and speaks TLSv1.2 when needed.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 61436] Permissive TLS connection allowed when connecting from
localhost
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61436
--- Comment #2 from rubimazaki@gmail.com ---
with:
SSLProtocol -all +TLSv1.2
running:
openssl s_client -tls1_1 -connect localhost:443
outputs:
CONNECTED(00000003)
140635205007008:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert
protocol version:s3_pkt.c:1262:SSL alert number 70
140635205007008:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1502959441
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org